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A Note To THE READER 


There are an unlimited number of legal and technical variables 

in any criminal investigation involving digital evidence that will 
determine the appropriate course of action in a particular case. 

This guide is intended to serve as a basic educational resource for 
law enforcement officers encountering digital evidence in criminal 
investigations. This guide does not and should not be interpreted as 
a policy or legal document. Law enforcement agents seizing digital 
evidence should contact their local prosecutor or agency counsel 
with requests for legal guidance. Within this guide you will find forms 
frequently used in the collection of digital evidence. These forms are 
designed for you to photocopy to letterhead for ease of use. 


ADDITIONAL ASSISTANCE 


If you need further assistance in the seizure of digital evidence, or 
you are in an emergency situation requiring immediate assistance, 
please contact a digital evidence analyst in your jurisdiction. 
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ADDITIONAL DIGITAL EVIDENCE First RESPONDER 
RESOURCES 


United States Secret Service: 
Best Practices for Seizing Electronic Evidence 
http://www. forwardedge2.usss.gov/pdf/bestPractices.pdf 


National Institute of Justice: 
Forensic Examination of Digital Evidence: A Guide for Law 
Enforcement 


https://www.ncjrs.gov/pdffilesl/nij/199408.pdf 


National Institute of Justice: 

Electronic Crime Scene Investigation: A Guide for First Responders, 
Second Edition 

https://www.ncjrs.gov/pdffiles] /nij/219941 .pdf 


National Institute of Justice: 

Electronic Crime Scene Investigation: An On-the-Scene Reference for 
First Responders 

https://www.ncjrs.gov/pdffilesl/nij/227050.pdf 


National Institute of Justice: 
Digital Evidence in the Courtroom: A Guide for Law Enforcement 


and Prosecutors 
https://www.ncjrs.gov/pdffilesl/nij/211314.pdf 


Department of Justice: 

Searching and Seizing Computers and Obtaining Electronic 
Evidence in Criminal Investigations 
http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf 
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INTERVIEW AND INTERROGATION QUESTIONS 
FOR CRIMES INVOLVING DIGITAL EVIDENCE 


Always obtain passwords and/or security codes 
for all pieces of digital evidence. 


Where are the digital crime scenes? These crime scenes may 
include: (1) locations within the jurisdiction, like homes, where 
computers and other digital devices are located; (2) offices 
and business networks; and (3) third-party providers like 
internet or cellular service providers. The legal and technical 
considerations for digital evidence collection vary depending 
upon the type of crime scene. 


Is there an ongoing risk of injury or loss to any person or 
property? 

. What is the motive for the offense? Determining motive will 
help the investigator locate essential witnesses and critical 
evidence. 


. What computers, mobile devices, digital media, or internet 
accounts do the victims, witnesses, and suspects use? How 
and where do these individuals access these systems and/or 
devices? 


Is evidence of the crime also held by a third party 

internet, cellular, or remote computing service provider? 

If so, collection of the information may be subject to the 
provisions of federal and state statutes pertaining to law 
enforcement access to records and communications held 
by these providers. Preserve any records, communications, 
or subscriber information held by these providers using the 
freeze order in this Guide, then consult with legal counsel or 
your local prosecutor. To find appropriate law enforcement 
contacts at these companies, visit 
www.search.org/programs/hightech/isp/. 


Page 3 


INTERVIEW AND INTERROGATION QUESTIONS 
FOR CRIMES INVOLVING DIGITAL EVIDENCE 


Always obtain passwords and/or security codes 
for all pieces of digital evidence. 


For computer systems, what is the name of each person who 
uses the computer? What are each users’ account name(s), 
privileges, passwords, and usage habits? 


For computer systems and mobile devices, what operating 
system is installed? What applications on the computer or 
mobile device relate to the current investigation? 


. Are there any data encryption, security, or backup 


applications installed on the device? What are the names 
of the applications, and passwords to bypass the security? 
Where is backup data saved? (ie. cloud account, removable 
media, computer system, etc.) 


What internet-based (ie. social network, web, electronic 
mail, etc.) or cellular services or accounts do the witnesses 
and suspects in your case use? How are they accessed by 
the user? What are the user names and passwords? Does 
anyone else have access to or use these accounts? 


. Has the witness or suspect lost, lent out, allowed access to, or 
experienced problems with a device or computer that contains 
evidence? If the answer is yes, ask for a detailed explanation. 
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Step 1 - Document the device and all collection 
procedures and information 


* Photograph 

* Video 

* Sketch 

* Notes 

* Chain of custody 


BlackBerry Classic 


Step 2 - Determine if the device is on or off 


* Look for lights 
* Listen for sounds 
* Feel for vibrations or heat 


NOTE - Many mobile devices save power by 
turning off screens after a specified amount of 
time. Despite the screen status, the device is 
likely still active. Ask if the device is currently 
powered on. Where legal, pressing the home 
button quickly will activate the screen. 


Android unlock screen 


Step 3 - If the device is 
off, do not turn it on 


* Collect and package (see Step 5) 
* Ask for password/pass pattern 
* Transport. (see Step 6) 


Apple iPhone 6 and 6 Plus 
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Step 4 - If the device is on, proceed with 
caution 


WARNING - The two most significant challenges 
for officers seizing mobile devices are: (1) 
isolating the device from cellular and Wi-Fi 
networks; and (2) obtaining security passwords 
or pass patterns for the device so the evidence 
can be examined forensically. Always ask if there 
is any security feature enabled on the phone. 
These can include passwords (simple or complex), security/wiping 
apps, pass patterns, or biometrics (facial scan). Document (see 

the attached consent form for guidance) and confirm the password 
or pass pattern. Turning the device off could result in the loss of 
evidence. The best option is to keep the device powered, unlocked 
(if locked, collect any available passwords, PIN codes, or security 
unlock information), and in airplane mode until it is in the hands of 


Samsung Galaxy S6 


an experience technician. 


Step 5 - Collection and Package 


WARNING - You may need to collect other 
forensic evidence including fingerprints, biological 
samples, DNA, etc. from smartphones and mobile 
devices. Work with crime scene technicians 
inem or trained forensic personnel to preserve such 
Faraday Bag evidence without disturbing the integrity of the 
data on the device. Be sure to advise forensic examiners in advance 
of submission of the possible existence of hazardous material on the 


device. 


* Secure data and power cables 

* Consider collecting computers that may contain 
device backups 

* Package the device so it will not be physically 
damaged or deformed 

* Package the device in evidence bags or boxes 


Step 6 - Transport 


* Deliver evidence to a secure law enforcement facility 
or digital evidence laboratory as soon as possible 
* Protect from temperature extremes and moisture 
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FREQUENTLY SEIZED DEVICES — 
LAPTOP AND DESKTOP COMPUTER SYSTEMS 


Step 1 - Document the System 


* Photograph 

* Video 

* Sketch 

* Notes 

* Chain of custody 


Step 2 - Determine if the system is on or off 


* Apply the "Look, Listen, and Feel" test 
* Look for flashing lights, listen for sounds, and feel 
for heat or vibrations 


Step 3 - If the system is off, do not turn it on 


* Disassemble (see Step 5) 
* Transport (see Step 6) 


Step 4 — If the system is on, proceed with CAUTION 


* Do not type, click the mouse, or explore files or 
directories without advanced training or expert 
consultation 

* Ask about passwords and/or encryption 

of the system 

* Observe the screen, and look for any 

running programs that indicate access 

to internet-based accounts, open files, 

encryption, or the presence of files or data 

= of potential evidentiary value 

-= * |f you see anything on the screen that 
concerns you or needs to be preserved, consult with 
an expert (if you don't know who to contact, call the 
number on the inside cover of this manual) 

* Photograph the screen 

* Once you are prepared to power 
down the system, pull the plug from 
the back of the computer system 

* Remove the battery from a laptop 
system 
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Step 5 — Disassemble and package the system 


WARNING - You may need to collect other forensic evidence 
including fingerprints, biological samples, DNA, etc. from 
computer systems, digital devices, and electronic media. Work 
with crime scene service technicians or trained forensic personnel 
to preserve such evidence without disturbing the integrity of the 
digital media. 


* Photograph the system from all 
perspectives 

* Clearly mark evidence and document 
chain of custody, location, and other 
important details about the seized 


item(s) 
* Disconnect and secure cables ul 
* Check media ports and cd/dvd trays for mel 


the presence of removable media 

* Package the system, and peripheral 
devices, for transport using laptop bags (if 
applicable), boxes, or evidence bags 


Step 6 — Transport 


* Protect from temperature extremes and moisture 

* Do not place evidence in the cruiser's trunk 

* Protect from electro-static discharge 

* Package evidence so it will not be physically 
damaged or deformed 

* Deliver evidence to a secure law enforcement facility 
or digital evidence laboratory as soon as practicable 
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OTHER COMMONLY SEIZED DEVICES 
THAT May Store DIGITAL EVIDENCE 


There are many other storage media and technical devices that 
may process and store digital evidence. Examples of these devices 
include media cards (ie. secure digital, SIM, flash, 
memory sticks), thumb drives, optical media (ie. CD, 
DVD, and Blu-ray), digital cameras, MP3 players, 
iPods, servers, surveillance systems, gaming stations 
(ie. Xbox, PlayStation, Wii), and GPS devices. 


MicroSD Card 


Each of these devices is capable of holding 
significant digital evidence that will help your case. 
And each is handled in a separate way. Seizure 

of these items should be performed with special 
care. Consider working with an experienced digital 
evidence analyst to collect these items. 


Blu-ray Disc 


Step 1 - Document the device and all collection procedures and 
information 


* Photograph 
* Video 
* Sketch 
* Notes 
* Chain of custody Sony PlayStation 4 


Step 2 - For items that have power, determine if the device is 
on or off 
* Look for lights 


* Listen for sounds 
* Feel for vibrations or heat 


Step 3 - Ask if there are any security features 
enabled on the device including passwords or 
encrypted file protection. 


/ | > Step 4 - If the device is off, do not turn if on 
LN, ep vi 


* Collect and package (see Step 6) 
USB drive * Transport (see Step 7) 
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Step 5 - While assessing, collecting, packaging, and 
transporting, follow these device-specific rules 


* Only trained personnel should collect data from a server. 
If you don't know what you are doing, stop and call an 
expert. Be careful when asking for the assistance of 
information technology or other personnel on-site 

* GPS devices, MP3 players, and digital cameras 

should be turned off to secure data. Be sure to ask 

for any passwords or security features 

* |f available, paper evidence bags, or static-free 

evidence bags, are best for the storage of media 

Garmin GPS * Media contained in binders or carriers should 

remain in the container 

* Be careful not to scratch optical media during seizure. 

* Gaming stations should be seized in the same manner as 
computers 


WARNING - Collecting evidence from surveillance systems can be 
difficult. Time is of the essence as digital surveillance systems often 
have proprietary software and hardware needs for playback. Speak 
to your prosecutor or agency legal counsel when making a decision 
about the seizure of a digital surveillance system as opposed to 
footage or segments of video extracted from the system. Also, be 
sure to get the company and installer name and contact information 
for the person that installed or maintains the system. 


Step 6 - Collection and Package 


* Follow chain-of-custody procedures 

* Secure data and power cables 

* Label the evidence container(s), not the device(s) 

* Package the device so it will not be physically damaged 
or deformed 


* Package the device in 
evidence bags or boxes 
Step 7 - Transport Microsoft Xbox One 


* Deliver evidence to a secure law enforcement facility 
or digital evidence laboratory as soon as practicable 
* Protect from temperature extremes and moisture 
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Members of the MDEC Executive Board represent the following agencies 


SUPPORTING 
MASSACHUSETTS 
PROSECUTORS 


AA 


* massachusetts District Attorneys Association 


OFFICER SAFETY IS TOP PRIORITY 


Do... 


Make sure you are lawfully present and have appropriate legal 
authority to conduct the search. 


Secure the scene. 
Make sketches and/or take photos. 
Consult technical experts as needed. 


Use seizure form if collecting digital evidence. 


Do Not... 


Turn on computers or other digital devices. 


Touch a computer if it is ‘on’ unless you are properly trained. 


Allow anyone access to computers or other digital devices. 


